- Article from RSA; although it is a few months old and misses some newer aspects of Magnitude, the fundamentals have not changed.
- A few previous Magnitude EK posts from me.
Downloads (in password protected zip)
Most notable in this flow is the change in the naming of the scriptlet used by Magnitude EK.
The scriptlet is called from the landing page. I have deobfuscated most of it, and you can see the call to the “.bmp” scriptlet. Previously it was “.ico”.
This is the scriptlet, mostly deobfuscated and with some variables renamed. Here you can see an executable is dropped and run with cmd. These executables always fail and are 0 KB. I’m not sure why this is the case.
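The scriptlet described above is fetched under an image extension (“.bmp” now, “.ico” before), so one cheap detection for a proxy or sandbox pipeline is an extension/content mismatch check: a resource whose URL says image but whose bytes carry no image magic and instead open with XML scriptlet markup. The following is an added example written for this post, not code from the original or from any tool it mentions; the URLs, bodies and verdict labels are constructed, and it generalises the post's two extensions to any image extension you choose to list.

```python
"""Flag fetched resources whose URL extension claims an image but whose
bytes look like an XML/COM scriptlet. Constructed example for illustration,
not code from the original post."""
import re

# Well-known magic bytes for the two image types the post mentions.
IMAGE_MAGIC = {
    ".bmp": [b"BM"],
    ".ico": [b"\x00\x00\x01\x00"],
}


def extension_of(url: str) -> str:
    """Return the lowercase extension of the URL path, ignoring query/fragment."""
    path = url.split("?", 1)[0].split("#", 1)[0]
    match = re.search(r"(\.[A-Za-z0-9]+)$", path)
    return match.group(1).lower() if match else ""


def looks_like_image(ext: str, body: bytes):
    """True/False if ext is a checked image type, None if we do not check it."""
    magics = IMAGE_MAGIC.get(ext)
    if magics is None:
        return None
    return any(body.startswith(m) for m in magics)


def contains_scriptlet(body: bytes) -> bool:
    """Scriptlet markup sits at the very top of the file, so only the head is inspected."""
    head = body[:512].lower()
    return b"<scriptlet" in head or (b"<?xml" in head and b"<script" in head)


def classify(url: str, body: bytes) -> str:
    """Map one fetched resource to a verdict label (labels are constructed here)."""
    ext = extension_of(url)
    is_image = looks_like_image(ext, body)
    if is_image is None:
        return "ignore"
    if is_image:
        return "image-ok"
    if contains_scriptlet(body):
        return "scriptlet-masquerading-as-image"
    return "non-image-content"


# Constructed sample traffic: one real-looking BMP, one XML scriptlet served
# as .bmp, one ICO with a query string, and one page that is not checked.
SAMPLES = [
    ("http://example.invalid/img/logo.bmp", b"BM" + b"\x00" * 30),
    ("http://example.invalid/x/f.bmp",
     b'<?xml version="1.0"?>\r\n<scriptlet>\r\n'
     b'<script language="JScript"><![CDATA[ /* constructed placeholder */ ]]></script>\r\n'
     b"</scriptlet>"),
    ("http://example.invalid/y/q.ico?v=2", b"\x00\x00\x01\x00" + b"\x00" * 12),
    ("http://example.invalid/z/page.html", b"<html></html>"),
]


def scan(samples=SAMPLES):
    """Return (url, verdict) pairs for every sample."""
    return [(url, classify(url, body)) for url, body in samples]


if __name__ == "__main__":
    for url, verdict in scan():
        print(f"{verdict:32s} {url}")
```

The check is deliberately narrow: it only fires on the extensions you list, so adding other image types means adding their magic bytes to `IMAGE_MAGIC`. Pairing it with the `Content-Type` the server sent would catch cases where the body is obfuscated beyond the plain `<scriptlet` marker.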
If you enlarge this picture you will see a condensed version of all the processes that were run on the endpoint.
The payload is Cerber Ransomware. This version calls itself “CBRB”.
This version of Cerber is at least a week old (the UDP patterns are identical, but the sample is fresh from the 3rd); however, it still does a good job of evading a lot of AV vendors.
Detection ratio: 14 / 61